Data management for cybersecurity: Know the essentials

If you want to know who the attackers are and what they’re doing, focus on data management for cybersecurity

By Stu Bradley, Vice President of the Cyber Business Unit at SAS

“Imagine how expensive it would be to create a 20-foot brick wall around your building, and how inexpensive it is for the bad guys to buy a 30-foot ladder,” said Steven Chabinsky, a 15-year FBI veteran and Chief Risk Officer at the cybersecurity tech firm CrowdStrike. “If the response to that security breach is a government mandate to build a 40-foot wall, and I spent my money on that, then the attackers buy a 50-foot ladder. Where does it end?”

Read the paper: Stronger Cybersecurity Starts With Data Management

If your cybersecurity program focuses primarily on keeping intruders out of your networks, that needs to change. The answer isn’t to build higher walls and tighter controls around our information infrastructures. The answer is to have threat deterrence that works even against determined, targeted threats. You have to have visibility into network activities and the ability to rapidly detect and trace attacks. That requires strong data management in cybersecurity.

Tighter perimeter controls are only part of the answer. Attackers are going to get in. You need to know where they are and what they’re doing – and that requires strong data management for cybersecurity.

Why data management is needed for cybersecurity

Security teams generally haven’t needed to have a deep data science background, so they tend to underestimate the importance of data management in security analytics. As with any function or application, weak data leads to weak results. In cybersecurity, that means too many false positives for overburdened security analysts, higher risk of successful breaches, and greater losses from each breach.

Solid data management is essential, but the task is particularly complex in cybersecurity, for a number of reasons:

Data volume and velocity. Organizational networks can generate petabytes of data per second from normal activities. Add to that all the data associated with the growth of network-connected mobile devices, sensors and cloud-based services. As the data points multiply, so does the attack surface. The whole cyberanalytics process must be able to scale to keep pace.

Multiple data sources. A security analytics program might integrate thousands of data elements. The needed data lives in many systems, such as web and system logs of user activity, threat feeds, user metadata, blacklists of users and IP addresses, router and switch logs, network monitoring systems and more. How do you bring it together for analysis, especially when some data is under the purview of the IT team, not the security team?

Data diversity. Data formats may vary by category of systems and by vendor. Field names, values and meanings vary across systems. The same event code can mean something entirely different in two places. All these disparities must be matched and reconciled in a security environment that is constantly changing.

Data (dis)organization. In its native state, cybersecurity data is rarely organized to support ease of retrieval and analysis. The organizing principle is often when the data was created. “Finding specific data can be like searching in a library where the books are shelved in the order they were acquired,” said Evan Levy, Vice President of Business Consulting for Data Management at SAS, in an International Institute for Analytics webinar.

Unique data storage requirements. The source data has to be stored together in a manageable way. It’s not just a matter of storing a large volume of content, but also anticipating how you will use the data and what detail to store for how long. “You need to keep enough history accessible to analysts for establishing baselines and doing retrospective investigations,” said Levy. “You don’t want to store all the detail indefinitely, but if a breach is discovered 100 days after the fact, you want to be able to do some level of historical reconstruction.”

A patchwork of security tools. A typical large organization may have dozens of security tools – each one looking at one part of the picture, and each with its own data and reporting formats. Each new defensive layer, vendor switch or even new version can introduce additional complexity.

Inflexible reporting and query systems. Most cybersecurity tools are more like transactional systems, organized to collect data and process it in predetermined ways. But analysts must be able to query the data, to drill down and look across data sources. They want to query large volumes of data without having to do endless data preparation.

5 steps to stronger data management for cybersecurity

Adopt and adapt data management standards for cyber. Establish a continually updated “card catalog” of data sources and the content of each one, with standards for formatting, naming and combining. Large organizations have been cataloging data sources all along for business applications, email systems and data center platforms. This discipline just needs to be extended to security analytics.

Empower security analysts with the right tools and platform. Implement a data management and analytics platform that can correlate and optimize network communication data, enrich it with business and security context, and prioritize intelligence for rapid consumption. Analysts can then build a complete picture – not just see that a breach occurred, but what it touched and what it did.

Establish a cybersecurity vanguard. By nature, information security professionals love boundaries. They tend to isolate themselves from other areas in the organization – and from data management practices and expertise that exist in other domains. Cybersecurity analysts should establish executive sponsorship and align with their counterparts elsewhere in the organization to share best practices.

Manage for flexibility. Cybersecurity is a moving target, and so is its data. Tomorrow’s channels and attacks will be different from today’s. Data sources evolve and multiply, and analytical methods improve. “A successful data management program for cybersecurity has to be in motion, comfortable with change, and able to cope with the surprises and challenges that will inevitably arise,” said Chris Smith, Director of Cybersecurity Strategy at SAS.

Find and fix the skills gap. “Collecting and storing data takes a different skill set from structuring the content to be queried, analyzed, augmented and combined,” said Levy. “Sourcing, accumulating and storing raw content is very technology-centric. Structuring the data for understanding, query and analysis is very analyst-centric. In many organizations, that second skill set doesn’t get the attention and staff that are necessary.”

Lessons learned

The most important data management precept is to understand what analysts need to accomplish, not just what data they need. “Meet the analysts where they are,” said Levy. “Rich data and cutting-edge analytic tools go to waste if analysts lack the skills to use them. By the same token, sophisticated analysts shouldn’t be constrained with rudimentary tools and everyday data management tasks.”

Second, be ready for the number of data sources and the overall data volume to keep growing. Don’t let the technology, staff capacity or skills become limiting factors. You want to be able to work with whatever useful data comes your way. Cybersecurity is that important.

Third, acknowledge that perfection isn’t possible, and cybersecurity is a moving target, said Levy. “The goal is to be as effective as possible without wasting resources – and to be prepared and flexible to meet the next new need, the next new challenge.”

As VP of the Cyber Business Unit at SAS, Stu Bradley oversees sales, product management, and product marketing for SAS’ cyberanalytics business. Previously, he was Senior Business Director for Security Intelligence Solutions, managing development and delivery strategy for SAS fraud, financial crimes, compliance, and public safety solutions. Bradley has 18 years of experience addressing clients’ most difficult business problems. Prior to SAS, he served as an executive manager at a leading risk and regulatory consultancy.